HELO iss.net
MAIL FROM: "Klaus, Chris (ISSAtlanta)"
RCPT TO: "'bugtraq@securityfocus.com'"
Subject: ISS X-Force: Multiple vulnerabilities in SMTP protocol

Synopsis:

It has come to our attention that several vulnerabilities exist within the SMTP protocol. Vulnerabilities exist which can cause spoofed email mails, as well as SPAM relays in misconfigured servers. We believe this to be a serious issue that requires immediate attention.

Affected Versions:

All servers that follow RFC 821.

Description:

RFC 821 outlines a method of exchanging 'E-Mail' over internetworked computers. These vulnerabilities may be exploited using various methods. The most common method of exploiting the SMTP spoofing bug is to visit the popular website http://www.cyberarmy.com and search for E-Mail spoofers and/or bombers.

Another serious threat inherent in this protocol is that which allows unauthorized users to forward unsolicited commercial email (SPAM). There are several programs that exist in the wild which exploit this vulnerability.

Recommendations:

ISS X-Force recommends that all vulnerable SMTP servers be turned off immediately. Until vendors issue a patch, ISS X-Force recommends reverting to traditional pen-and-pencil based methods of communication.

Credits:

This vulnerability was discovered by members of the irc channel #phrack on the Eris Free IRC network. We'd like to thank everyone who has helped to investigate this vulnerability in a timely manner.

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 9,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 U.S. telecommunications companies, and all major branches of the U.S. Federal Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.